Partner POV | What Does TLStorm Mean for Medical Device Security in Healthcare
Article written and provided by Armis.
TLStorm is a collection of three critical vulnerabilities, discovered by Armis, in Rack UPS (uninterruptible power supply) devices. Exploiting them could enable attackers to:
- Execute a ransomware attack on the power supply to a data center.
- Vary voltage on critical equipment to cause damage or downtime.
- Cause the UPS to heat up, smoke, and ignite.
Rack UPS devices are used across hospitals, data centers, and industrial facilities worldwide. The three critical vulnerabilities, collectively called TLStorm, expose more than 20 million enterprise devices worldwide. In healthcare facilities, they could enable attackers to bypass security features and remotely take over or damage critical medical and Internet of Medical Things (IoMT) devices or even cause a fire in a data center.
Two of the three TLStorm vulnerabilities are remote code execution (RCE) flaws in the Transport Layer Security (TLS) connection between the UPS and the SmartConnect cloud service. Attackers can trigger them with unauthenticated network packets and no user interaction, gaining remote control of the device.
The third vulnerability is a design flaw in the firmware update mechanism: firmware images on affected devices are not cryptographically signed in a secure manner, so the device cannot verify that an update actually came from the vendor. This lets attackers install malicious firmware over the Internet, over the LAN, or from a USB thumb drive, and use the compromised UPS as a persistent foothold in the network for further attacks.
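The following Go program is an added example, not Armis's code and not the affected vendor's real firmware format. It shows what the missing check looks like when done properly: a device-side verifier that accepts a firmware image only when a vendor Ed25519 signature over the whole header and payload verifies and the version is not a downgrade, beside a checksum-only acceptance routine that illustrates why an unsigned, merely integrity-checked image gives no protection against a replaced payload. The image layout, field names, key handling and sample payload are all assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, constructed for this example (not the vendor's real format):
//   "UPSF" | version (uint32 BE) | payloadLen (uint32 BE) | payload | Ed25519 signature (64 B)
// The signature covers every byte before it, so version and length are authenticated too.
const (
	imgMagic = "UPSF"
	hdrLen   = 4 + 4 + 4
	sigLen   = ed25519.SignatureSize
)

var (
	errMalformed = errors.New("malformed firmware image")
	errBadSig    = errors.New("vendor signature verification failed")
	errRollback  = errors.New("refusing downgrade to older firmware")
)

// genVendorKey creates a signing key pair; only the public half is burned into the device.
func genVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildSignedImage is the vendor-side build step: header, payload, then the signature.
func buildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imgMagic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// verifyImage is the device-side gate that must run before anything is flashed, whatever path
// the image arrived by (cloud, LAN or USB): strict parse, signature check, anti-rollback check.
// Re-flashing the currently installed version is allowed; anything older is refused.
func verifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != imgMagic {
		return 0, nil, errMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// The declared length must match the bytes present; otherwise a crafted header could
	// shift where the signature is read from.
	if uint64(payloadLen) != uint64(len(img)-hdrLen-sigLen) {
		return 0, nil, errMalformed
	}
	end := hdrLen + int(payloadLen)
	if !ed25519.Verify(pub, img[:end], img[end:]) {
		return 0, nil, errBadSig
	}
	if version < installed {
		return 0, nil, errRollback
	}
	return version, img[hdrLen:end], nil
}

// withChecksum / checksumOnlyAccepts model the weak design: a trailing SHA-256 shows the
// image was not corrupted in transit, but anyone can recompute it over a replaced payload,
// so it proves nothing about who produced the image.
func withChecksum(body []byte) []byte {
	sum := sha256.Sum256(body)
	return append(append([]byte{}, body...), sum[:]...)
}

func checksumOnlyAccepts(img []byte) bool {
	if len(img) < sha256.Size {
		return false
	}
	want := sha256.Sum256(img[:len(img)-sha256.Size])
	return bytes.Equal(img[len(img)-sha256.Size:], want[:])
}

func main() {
	pub, priv := genVendorKey()
	_, attackerPriv := genVendorKey() // a key the attacker controls, not the vendor's
	payload := []byte("constructed sample firmware payload v2")
	_, _, err := verifyImage(pub, buildSignedImage(priv, 2, payload), 1)
	fmt.Println("vendor-signed v2 on a v1 device:", err)
	_, _, err = verifyImage(pub, buildSignedImage(attackerPriv, 3, []byte("malicious")), 1)
	fmt.Println("attacker-signed image:", err)
	_, _, err = verifyImage(pub, buildSignedImage(priv, 1, payload), 2)
	fmt.Println("vendor-signed v1 on a v2 device:", err)
	fmt.Println("checksum-only accepts attacker image:", checksumOnlyAccepts(withChecksum([]byte("malicious"))))
}
```

The verifier runs the same code regardless of delivery path, which is the point of the page's third flaw: if the device does not check origin at flash time, it does not matter whether the image came from the cloud, the LAN or a USB stick. In a real deployment the public key would live in immutable storage (or be anchored by a hardware root of trust) and the anti-rollback counter would be stored where a downgraded image cannot reset it.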
In healthcare, TLStorm highlights the risks posed to medical devices and the importance of holistic medical device security. With unmanaged and unagented assets such as UPS devices becoming a prime target for malicious actors, it is more important than ever to have complete visibility of all assets, along with the ability to monitor their behavior and identify attempts to exploit security holes such as TLStorm.
Medical Device Security and the Threat of TLStorm
Around 91 percent of healthcare and medical clients relying on the Armis platform worldwide use some type of UPS, and according to Armis data, more than 76 percent of organizations using Rack UPS devices are vulnerable to TLStorm. Armis customers can immediately see the vulnerable devices and remediate the TLStorm vulnerabilities, but the potential risks for those who can't are serious.
In healthcare, where patient safety is paramount, the ecosystem relies on a host of assets, in addition to traditional medical devices, to support care delivery services. And since the impacted UPS devices are often used within hospitals and clinics, not just in data centers, attacks could directly impact patient care and outcomes.
To improve patient and operational safety, hospitals must identify and monitor unmanaged and unagented endpoints that support the clinical workflow and connect with or support biomed devices. Only through continuous device monitoring can healthcare organizations mitigate threats such as those posed by TLStorm.
Mitigating Risk Exposure
The discovery of the TLStorm vulnerabilities underlines how much remains unknown about the devices within healthcare and other industrial environments. Given the stakes in healthcare, it underscores the need to act and protect medical devices against malicious attacks.
Having a cybersecurity defense plan for medical devices is critical for all of today's connected healthcare organizations. The FDA and the European Union Agency for Cybersecurity (ENISA) offer guidelines to help IT teams manage medical device security. Both are a good starting point for improving IoMT security.
How Visibility Can Help Solve Medical Device Security Challenges
To protect operations from threats and maintain patient trust, today's healthcare organizations need complete asset visibility. The Armis platform uses passive monitoring and insights from the world's largest device knowledgebase to give your team near real-time insights into everything from unmanaged and managed devices with vulnerabilities to active attacks. It can even integrate with your existing solutions to disconnect or quarantine devices behaving suspiciously.